winnie boosted

There's talk of implementing KASLR in #FreeBSD during the #devsummit today.

It would be absolutely nonsensical to land KASLR, since FreeBSD uses kernel infoleaks as features.

To be effective, KASLR requires plugging each and every infoleak.

The KVA is extremely limited, too.

winnie boosted

andrew lee just seized over 700 channels on freenode because they mentioned libera.chat in their topic.

This includes projects like openbsd, wikimedia, FOSDEM, etc.

archive.is/uHw1g shows 720 channels that match what is being checked.

here's an example log: gist.github.com/pushcx/ab2a1d5

boost this if you care about foss in any way.

winnie boosted

If you follow #FreeBSD commits, you recently got a history lesson by Kirk McKusick in a lengthy, but informative, commit log message: cgit.FreeBSD.org/src/commit/?i

winnie boosted

@requiem @thegibson If I may be allowed to be pedantic here, I ask that my words be considered with some gravity.

The issue isn't static logic. The issue is divorcing instruction decoding from instruction set design to attain performance goals not originally built into the ISA.

It takes, for example, several clock cycles just to decode x86 instructions into a form that can then be readily executed. Several clocks to load the code cache. Several clocks to translate what's in the code cache into a pre-decoded form in the pre-decode cache. Several clocks to load a pre-decode line into the instruction registers (yes, plural) of the instruction fetch unit. A clock to pass that onto the first of (I think?) three instruction decode stages in the core. Three more clocks after that, you finally have a fully decoded instruction that the remainder of the pipelines (yes, plural) can potentially execute.

Of course, I say potentially because there's register renaming happening, there's delays caused by waiting for available instruction execution units to become available in the first place, there's waiting for result buses to become uncontested, ...

The only reason all this abhorrent latency is obscured is because the CPU literally has hundreds of instructions in flight at any given time. Gone are the days when it was a technical achievement that the Pentium had 2 concurrently running instructions. Today, our CPUs, have literally hundreds.

(Consider: a 7-pipe superscalar processor with 23 pipeline stages, assuming no other micro-architectural features to enhance performance, still offers 23*7=161 in-flight instructions, assuming you have some other means of keeping those pipes filled.)

This is why CPU vendors no longer put cycle counts next to their instructions anymore. Instructions are pre-decoded into short programs, and it's those programs (strings of "micro-ops", hence micro-op caches, et. al.) which are executed by the core on a more primitive level.

Make no mistake: the x86 instruction set architecture we all love to hate today has been shambling undead zombie for decades now. RISC definitely won, which is why every x86-compatible processor has been built on top of RISC cores since the early 00s, if not earlier. Intel just doesn't want everyone to know it because the ISA is such a cash cow these days. Kind of like how the USA is really a nation whose official measurement system is the SI system, but we continue to use imperial units because we have official definitions that maps one to the other.

Oh, but don't think that RISC is immune from this either. It makes my blood boil when people say, "RISC-V|ARM|MIPS|POWER is immune."

No, it's not. Neither is MIPS, neither is ARM, neither is POWER. If your processor has any form of speculative execution and depends on caches for maintaining instruction throughputs, which is to say literally all architectures on the planet since the Pentium-Pro demonstrated its performance advantages over the PowerPC 601, you will be susceptible to SPECTRE. Full stop. That's laws of physics talking, not Intel or IBM.

Whether it's implemented as a sea-of-gates in some off-brand ASIC or if it's an FPGA, or you're using the latest nanometer-scale process node by the most expensive fab house on the planet, it won't matter -- SPECTRE is an artifact of the micro-architecture used by the processor. It has nothing whatsoever to do with the ISA. It has everything to do with performance-at-all-costs, gotta-keep-them-pipes-full mentality that drives all of today's design requirements.

I will put the soapbox back in the closet now. Sorry.

winnie boosted

The #picoplanet from @bleeptrack provides the missing screenshot key for the #pinephone ✨🪐🚀

winnie boosted

Almost ready to release this into the wild. Another two or three months, and we'll take the #infosec community by storm.

Unfortunately, I can't share too much more than this right now.

winnie boosted

Effective today, I've resigned from the #OPNsense Core Team. I wish OPNsense the best of luck in the future.

forum.opnsense.org/index.php?t

winnie boosted

Gearing up to sell this next generation 4U security appliance based on #HardenedBSD that can do 40Gbps full pcap, store 1.5PB of data, run analytics on and enrich the stored data.

Does inline IDS/IPS (or sit on a span) and run as your network firewall.

einpresswire.com/article/53773

winnie boosted

@lattera @solene I've been enjoying grml zsh config, mainly due its git handling. Shows not only branch, but TAB completion for git add shows you overview of modified and not yet added files in two categories.

Bought an old ProLiant Workstation on eBay recently. Navigating through "Intelligent Provisioning" EFI utility, hitting TAB until I got this on the left bottom screen. Can't fall asleep. Afraid of nightmares.

winnie boosted

I just convinced the CEO, CFO, and CTO to transition our entire dev team to be internal #OPNsense developers. :) :) :)

Building security appliances that can do full pcap at 40Gbps line rate based on #HardenedBSD, #OPNsense, and other awesome tech.

As of today, I've reached my dream job.

winnie boosted
winnie boosted

role to bootstrap a @Hetzner_Online Cloud VM with an encrypted rootfs. It's ugly and not idempotent, but does the job pretty well. SSH hostkeys management included. Most of it can be used for other hosters/bare metal. github.com/msgpeek/ansible-rol

Show older
ieji.de

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!